My "Mac App Distribution" certificate will expire in a couple of weeks. When this happens, will my applications cease to function properly?
This has been asked a lot, except in my situation, my applications are not distributed through the Mac App Store.
Users can still download, install, and run versions of your Mac apps that were signed with your certificate before it expired. However, you’ll need new Developer ID certs to sign updates and create new apps.
Developer ID signatures carry cryptographic timestamps by default.
Signatures with cryptographic timestamps are validated against the
signing time, and signatures made with expired (at signing time)
certificates are invalid.
OS X Code Signing In Depth
Replacing Expired Certificates
Related
I'm distributing my macOS app outside the App Store and so far I've never code-signed it. My app targets advanced users who know how to configure macOS to allow the app to run.
With the arrival of the Apple M1 computers, however, things have changed as code-signing seems to be mandatory now for native Apple Silicon apps. That's why I'd like to ask: Is it sufficient to sign my app using a self-signed certificate when distributing it outside the App Store? Will it be possible for users who download an app that was signed using a self-signed certificate to run that app?
I'd expect that Gatekeeper will probably block such an app first because it was signed using a self-signed certificate but will users be able to override Gatekeeper's veto in the security settings (as it was previously the case with non-signed apps)?
Or do all apps built for Apple Silicon have to be signed with an official Apple certificate? I'd like to avoid that because last time I checked this was $99 per year.
You can codesign with ad-hoc feature. codesign -s - -f /path/to/filename. This doesn't need certificate.
I have created an electron app. Now I want to sign code for both windows and mac platform. But I have only go daday pfx certificate.I successfully signed code using pfx certificate from go daday in windows platform. So,Can I sign an electron app on macos platform using go daday certificate?
You can sign a macOS app with a GoDaddy code-signing certificate, but it probably won't do what you want. Here's what Apple's developer documentation says (with my emphasis added):
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the macOS codesign command. Similarly, if your company is
a certificate issuing authority, contact your IT department to find
out how to get a signing certificate issued by your company. However,
while these valid certificates allow you to sign your code, you can
only distribute through the App Store or through the Developer ID
program when you sign with a certificate issued by Apple.
So, the question is: how is your application going to be distributed to users' computers?
If it's sold through Apple's App Store, you need to become an Apple Developer, get a Mac App Distribution certificate from Apple, and sign the app with that before submitting it to Apple.
If it's distributed outside Apple's App Store (e.g. via web download), then you also need to become an Apple developer, get a Developer ID certificate, and use that to sign it. If you don't sign it with the right kind of certificate, Gatekeeper will prevent users from opening the app unless they go through a special procedure to trust the app.
Either way, you need to join the Apple Developer program, and use an Apple-issued code signing certificate to sign the macOS version of your app.
Will I need to create a new Developer Id Application signature?
Or is the existing one will still be valid after WWDR intermediate certificate expiration? (14 Feb) I'm using it for mac osx applications.
You do not need to create any new Developer ID, Development Certificate , Production certificate after expiration of WWDR Intermediate Certificate.
Do I need to regenerate any of my certificates?
No. Your existing
certificates will work with both the expiring and the renewed
intermediate certificate.
If you still face any issue with your iOS Apps , Mac Apps, Safari Extension, Apple Wallet and Safari Push Notifications, then please follow this link of WWDR Intermediate Certificate expiration.
Our company develops our application for both Mac OS X and Windows. We have an existing purchased code signing certificate from a non-Apple authority we use to ID our Windows installers. We distribute both our DMGs & MSIs through our own company website.
The code signing guide for Mountain Lion's new Gatekeeper feature seems to imply that a non-Apple issued standard certificate would work, though I could be misinterpreting what "third-party" means in this case:
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the OS X codesign command...
Is it possible to use this non-Apple certificate, and if so, how could it be incorporated using the command line "codesign" command?
Cannot take credit for this, but the blunt answer is:
NO
I just spent a good three days converting certificates and searching the internets to find these:
http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
http://www.panic.com/blog/2012/02/about-gatekeeper/
http://arstechnica.com/apple/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/
No.
The reason it will not work is: To pass through GateKeeper, you need a code signing certificate which is signed with your Apple Developer ID. This is not the same as a regular code signing certificate issued to your company. Only Apple issues Apple Developer IDs. (Or at least, at the time of this writing.)
This is very confusing because:
The company we bought the code signing certificate from specifically claimed it works with MacOS. But what they meant was we could sign Apple code technically speaking. But passing GateKeeper is different. (Unclear marketing to say the least.)
At this time, there are unclear Apple docs which talk about signing code with 3rd party certificates. Ex: https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/Procedures/Procedures.html
However, while you can sign the code, it does not pass GateKeeper! Again, this may refer to either internal corporate application use, or it may just be out of date.
Gatekeeper only recognises Apple digital certificates. Windows only recognises Comodo, Verisign and a few other signing authorities. So you need to buy a Comodo (or similar) certificate for Windows and pay $99 per year for the Apple developer program so you can get an Apple certificate as well. It is rather annoying, to say the least.
I build an OSX app which is distributed as a DMG outside of the Mac App Store, and I'd like to continue to have it be that way once Gatekeeper enforcement begins.
From studying code signing documentation, it looks like the recommended approach is to get a "Developer ID" certificate and use that to codesign. However, you must be a registered OSX developer and pay Apple $99 each year. I already have a certificate from a recognized CA, and I would like to use it with codesign. I found documentation on how to do this, but I cannot tell whether Gatekeeper will allow applications signed using certs issued by other CAs, not Apple.
Does anyone know?
Gatekeeper only recognizes apps signed with Developer ID, not just any signature. See this which also explains how to test Gatekeeper functionality under Lion.
The point is that if Apple owns the certificate authority, they can revoke the certificate if your app turns out to be a trojan or something.